Is That You?

A new study shows why it’s so difficult to detect when an email account has been hijacked.

Cybersecurity email hacking illustration by Ellie Skrzat
You’ve got a hacker.

Photo illustration by Ellie Skrzat. Photos by Anatoliy Babiy/Thinkstock and shironosov/Thinkstock.

Email hijackers—they’re just like us! Set aside the fact that they want to steal your money and/or your email contacts, and it’s pretty difficult to distinguish the people who manually break into online accounts from their victims, according to a study done by researchers at Google and the University of California–San Diego that was presented last week at the Internet Measurement Conference in Vancouver. The researchers looked at manual account hijackings using several data sets spanning 2011 through 2014—including phishing emails received by Gmail users, phishing Web pages, phishing Google Forms, and the use and recovery of compromised Google accounts—to assemble an illuminating account of how and why these hijackings occur, and to generate some ideas about how they can best be stopped.

The study focuses solely on manual hijackings, which the researchers describe as less common (and more damaging) than automated hijacking attempts, in which botnets are used to spew huge volumes of spam from compromised accounts, but not as rare or damaging as targeted attacks, such as industrial or state-sponsored espionage efforts. Still, one of the interesting findings of the paper is just how rare these manual account hijackings are—Google’s data showed an average of nine incidents per million active Google users per day. In other words, when it comes to computer-based threats to worry about, this is pretty low on the list.

And in general, I tend to believe (and try to convince my trusting friends and family members) it’s good practice to assume that all of your email will—or at least could—be read by someone else in the future. This is not necessarily because you will land in the 0.0009 percent of Google users targeted by manual hijackers, but rather because emails are forwarded by recipients, scanned by employers, or easily accessed from poorly protected phones or laptops (my friends and family, of course, usually suspect that it will be me reading their email …). That kind of access to your email, where people you know—a friend, a colleague, a spouse—read something you never intended for their eyes, is, I suspect, much more common than nine in 1 million. And for what it’s worth, this ranks fairly high on my list of personal computer security concerns.

But the study from Google and UC–San Diego explicitly excludes incidents when accounts are compromised by someone the victim knows personally, or hijacked by means of physical access to the victim’s devices. The researchers’ focus raises an interesting question: Why would total strangers want access to my email in the first place, and how much should I care whether they get it?

The motivation for manual account hijackings is the same as for automated hijackings (and so much other criminal activity): money. But where botnet operators profit from sending high-volume spam, the researchers found that manual hijackers primarily make money by stealing banking information, holding accounts for ransom, or emailing the victims’ contacts with a woeful story and an urgent request for money. (“We were mugged last night in an alley by a gang of thugs on our way back from shopping, one of them had a knife poking my neck for almost two minutes and everything we had on us including my cell phone, credit cards were all stolen.”)

Before they can invent these colorful sob stories, however, the hijackers first have to get access to a victim’s account. This usually happens through website- and email-based phishing schemes soliciting submission of email and financial institution credentials, the study found. Given how long we’ve been hearing about the threat of phishing, it’s astonishing that when the researchers studied phishing pages set up to collect credentials through Google Forms, 13.7 percent of visitors actually completed the form (presumably, though not necessarily, providing accurate login information). So people still can’t reliably identify phishing emails and websites—and people are still responding—especially those of us affiliated with educational institutions: More than 99 percent of the phished email addresses the researchers identified were from .edu domains, perhaps because schools and universities tend to host their own email, and have less sophisticated spam filters than major mail providers. (That doesn’t mean you should breathe easy if you don’t use a .edu email account—just that you’re much less likely to find a phishing email in your inbox in the first place.)

Once they have your credentials, the hijackers spend about three minutes deciding whether it’s worth their time to exploit your account, according to the study’s analysis of hijacked Google accounts. To figure out whether you qualify—or proactively purge your account of potentially costly information—try searching your email for the top 10 hijacker search terms identified by the researchers: wire transfer, bank, transfer, bank transfer, wire, transferencia, investment, banco, and the Chinese characters for account statement. This won’t protect your friends and family from being hit up for cash by hijackers or from being hijacked themselves—the study showed that contacts of hijacked accounts were 36 times more likely to be hijacked than a random sample of users—but at the very least it might help secure your own financial assets.

The researchers conclude their study with a discussion of the different opportunities and tactics for combating manual hijacking, ranging from two-factor authentication, which forces hijackers to intercept multiple credentials across different technologies, to Google’s login time risk analysis system, which analyzes a variety of (undisclosed) features of a login attempt to assess whether it seems anomalous or in-character for the user. The authors strongly encourage users to sign up for Google’s two-factor authentication service, which they deem the “best client-side defense against hijacking.” However, perhaps the most insightful observation of their study is not about how to defend against hijacking but rather why it is difficult to defend against.

They write:

[W]hat manual hijackers do when interacting with Google’s services is not very different from what normal users do. Normal users also search their inboxes and read emails, set up email filters, and change their password and their recovery options. Thus the rules or models derived from those behaviors are not crystal clear and are certainly not high enough confidence to act upon easily.

In other words, the indicators that help identify automated hijacking—high volumes of outbound email messages, for instance—don’t apply to many of the manual incidents.

In fact, the study found that for 65 percent of victims, manual hijackers send at most five messages, though each is usually sent to a large number of recipients. For the compromised accounts they sampled, the researchers saw, on average, only a 25 percent increase in outgoing emails, but a 630 percent increase in distinct recipients, following a suspected hijacking. So the manual account hijackers look and think and sound too much like us for defenders to be able to find them. In this regard, small-scale cybercrime can actually be trickier to defend against than the larger-scale operations that—because of their size, their automated procedures, their machine-like profile—behave more clearly like different animals and leave more obvious clues for defenders.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.